CVE-2023-26053Inclusion of Functionality from Untrusted Control Sphere in Gradle

CWE-829Inclusion of Functionality from Untrusted Control Sphere4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
0.5%
top 32.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GradleDebian Gradle
Timeline
PublishedMar 2

Description

Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or `pgp` element in their dependency verification metadata file. The fix is to fail dependency verification if anything but a fingerprint is used in a trust element in dependency verification metadata. The problem is fixed in G

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDgradle/gradle6.2.06.9.4+1
CVEListV5gradle/gradle>= 6.2, < 6.9.4, >= 7.0.0, < 7.6.1+1
debiandebian/gradle

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
OSV
CVE-2023-26053: Gradle is a build tool with a focus on build automation and support for multi-language development2023-03-02

📋Vendor Advisories

2
Red Hat
gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks2023-02-28
Debian
CVE-2023-26053: gradle - Gradle is a build tool with a focus on build automation and support for multi-la...2023